From 9028b3706ee4faa79dcf5cd01864e03c47b1c30b Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Sun, 7 Sep 2025 21:57:07 +0100
Subject: [PATCH] Fix GH-19751: imagefill buffer overflow.
---
 ext/gd/libgd/gd.c &#124; 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 0bd6e4b587e9f..2109c807575c7 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -2043,6 +2043,12 @@ static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
 	FILL_PUSH(y+1, x, x, -1);
 	while (sp>stack) {
 		FILL_POP(y, x1, x2, dy);
+		if (y> im->sy) {
+			y = im->sy;
+		}
+		if (x> im->sx) {
+			x = im->sx;
+		}
 		for (x=x1; x>=0 && (!pts[y][x] && gdImageGetPixel(im,x,y)==oc); x--) {
 			nc = gdImageTileGet(im,x,y);
 			pts[y][x] = 1;
</div><div class="naked_ctrl">
<form action="/index.cgi/contrast" method="get" name="gate">
<p><a href="http://altstyle.alfasado.net">AltStyle</a> によって変換されたページ <a href="https://patch-diff.githubusercontent.com/raw/php/php-src/pull/19753.patch">(-&gt;オリジナル)</a>
/ <label>アドレス: <input type="text" name="naked_post_url" value="https://patch-diff.githubusercontent.com/raw/php/php-src/pull/19753.patch" size="22" /></label> <label>モード: <select name="naked_post_mode">
<option value="default">デフォルト</option>
<option value="speech">音声ブラウザ</option>
<option value="ruby">ルビ付き</option>
<option value="contrast" selected="selected">配色反転</option>
<option value="larger-text">文字拡大</option>
<option value="mobile">モバイル</option>
</select>
<input type="submit" value="表示" />
</p>
</form>
</div>